phpBB v.2.0.13 ---> HACKED

This is an archive of the phpBB 2.0.x support forum. Support for phpBB2 has now ended.
nurhendra
Registered User
Posts: 144
Joined: Mon Feb 28, 2005 5:03 pm
Location: Jakarta

Post by nurhendra » Sun Apr 10, 2005 1:09 am

Now that's BAD news. :(
Did you see anything unusual anywhere in the forum directories and database? Probably they planted a backdoor somewhere after their first hack. Check whether any of the files/directories have 777 permissions.

Maaann.. we need to find the cause asap. If we can point where the entry was, then we can close it.

dbdummy
Registered User
Posts: 319
Joined: Mon Dec 27, 2004 9:22 pm
Location: arizona

Post by dbdummy » Sun Apr 10, 2005 1:46 am

Mike, since you used your previous database, it's not exactly a FRESH install... Have you made sure that on the attack you had [when you had 2.0.8] that they did not make themselves an admin? Use star's admin toolkit... someone here should be able to give you a link to it... at the moment, I am on my own quest for a MOD answer.

I don't doubt this version is hackable...but I think someone had admin rights to your board and you just don't know it. And, since I know you used your previous mysql database, they would still have admin rights.

CLee
Registered User
Posts: 511
Joined: Fri Nov 23, 2001 2:42 pm

Post by CLee » Sun Apr 10, 2005 1:49 am

See what happens when you stop flame baiting and provide information that is useful to solving the problem. You get a lot more cooperation from people.

Other things to check for: scrub your user list of anyone who shouldn't be an admin or moderator. Change your passwords again in the event he/she snagged a copy of your database. Back up config.php, delete all files in the forum directory and install a fresh copy to the server, then check the backed-up copy of config.php for anything that seems to not belong there before uploading it back to the server. Make sure that there are not any unknown files or verify every file that has been recently modified anywhere on your website. Actually, if I had a pre-hacked version of the website on backup I would wipe out the entire website and upload the backup copy. And once again, check your webserver logs for any suspicious behavior around the time of all of the attacks. If it appears to involve phpBB, then post those portions of the logs to the security tracker for further evaluation.
Carlos Myers
A+, Network+
Member - Star Wars Roleplaying Club

dbdummy
Registered User
Posts: 319
Joined: Mon Dec 27, 2004 9:22 pm
Location: arizona

Post by dbdummy » Sun Apr 10, 2005 1:52 am

Actually, whilst searching for my mod, I came across the admin toolkit

http://www.phpbb.com/phpBB/viewtopic.php?t=232010

hth

mikeinjersey
Registered User
Posts: 199
Joined: Thu Aug 14, 2003 11:56 pm

Post by mikeinjersey » Sun Apr 10, 2005 2:09 am

dbdummy wrote: have you made sure that on the attack you had [when you had 2.0.8] that they did not make themselves an admin? use star's admin toolkit..someone

Bah, the last thing I want to do is add another modification when I'm trying to get rid of this hacking crap..

Isn't there another way to find out who all the admins are? And just make them moderators?

It seems like all he is doing is changing the title and description now.

mikeinjersey
Registered User
Posts: 199
Joined: Thu Aug 14, 2003 11:56 pm

Post by mikeinjersey » Sun Apr 10, 2005 3:11 am

My database is like 100 MB.. Is there a way to analyze the individual database files so I could find out if there are any hidden admins? Is there a specific file I should be looking into?

Also, if anybody here would be willing to examine my database, I'd be happy to share... as long as you're an admin or something.

I'm going to try a fresh new install again soon...

Also, is it OK if I leave the 100 MB database in place and install the fresh version of phpBB2 on top?

Or do I have to remove the database... except for the empty folder... and then install phpBB2? The first time I did it... I only had the empty database folder..

flogger12
Registered User
Posts: 14936
Joined: Tue Nov 25, 2003 2:13 am

Post by flogger12 » Sun Apr 10, 2005 3:44 am

not sure what you mean by the database folder, the database is not in the phpbb folder or files. it is completely separate from the phpbb files.

that toolkit from starfox is not a MOD, it is a very useful tool to check your database for admins that shouldn't be there, it runs independently of phpbb.

the things you describe are the exact things that version 2.0.13 fixed, that was the only thing that the upgrade from 2.0.12 did, was to close that vulnerability.

you have to clean up your database before you can get past this, you can install phpbb 100 times but if you don't clean the database and/or the rest of your server, he will continue to get in and hack you.

get rid of every single admin that you find, register with a new name and then make that new name admin (use a new password), then delete your old admin name and password.


robert

who_cares
Registered User
Posts: 5106
Joined: Fri Jan 14, 2005 11:04 pm
Location: ATL

Post by who_cares » Sun Apr 10, 2005 4:11 am

dbdummy wrote: Actually, whilst searching for my mod, I came across the admin toolkit

http://www.phpbb.com/phpBB/viewtopic.php?t=232010

hth

Give the toolkit a try on your main database.
Also create a new db and a fresh install without the banner. If that gets hacked then 2.0.13 is open to attack.
Otherwise you need to back up config.php and your images and re-upload the phpBB files, restore the backups, and comb through your database for security gaps.

mikeinjersey
Registered User
Posts: 199
Joined: Thu Aug 14, 2003 11:56 pm

Post by mikeinjersey » Sun Apr 10, 2005 4:15 am

I'll give the toolkit a try...

flogger12 wrote: not sure what you mean by the database folder, the database is not in the phpbb folder or files. it is completely separate from the phpbb files.

What I mean is, can I have the 100 MB database in place while installing a fresh version of phpBB2? Or does the MySQL database have to be removed first before installing phpBB2?

who_cares
Registered User
Posts: 5106
Joined: Fri Jan 14, 2005 11:04 pm
Location: ATL

Post by who_cares » Sun Apr 10, 2005 4:18 am

does your host let you create multiple databases?

mikeinjersey
Registered User
Posts: 199
Joined: Thu Aug 14, 2003 11:56 pm

Post by mikeinjersey » Sun Apr 10, 2005 4:25 am

yea..please answer my first question first though.

who_cares
Registered User
Posts: 5106
Joined: Fri Jan 14, 2005 11:04 pm
Location: ATL

Post by who_cares » Sun Apr 10, 2005 4:28 am

if you can have more than one db then simply create a 2nd db

nurhendra
Registered User
Posts: 144
Joined: Mon Feb 28, 2005 5:03 pm
Location: Jakarta

Post by nurhendra » Sun Apr 10, 2005 4:53 am

Because the hacker only changed the site title and description, it seems like he/she can only access your site through your account, and not from the hosting because if he/she hacked your host then he/she should be able to just change the .php .tpl files directly.

So, the hacker changed the title/description, either from the ACP and/or from the database itself.

As many already suggested, make sure no one else is admin (use phpMyAdmin and run this SQL: SELECT * FROM `phpbb_users` WHERE user_level = 1).

Also, change the password to your db (the one that is shown in config.php). This way, hopefully, the hacker cannot reaccess your db again.
Then, password protect (using .htaccess) your /admin/ directory, with a different user/pass. This way, even if the hacker has userlevel admin, he/she still cannot access the ACP.

And lastly, check the board files for strange files, i.e. a PHP file that doesn't do anything but an SQL update for a specific entry.

But importantly, keep us posted of what happened, so everything will be in the clear.
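
The file checks suggested in this thread (777 permissions, unknown files, recently modified files, stray PHP files) can be run in one pass by comparing the live forum directory with a freshly unpacked copy of the same release. This is an added example, not part of any post above; the function names and both directory paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). LIVE is the forum directory on the
# server; REF is a fresh copy of the same phpBB release unpacked elsewhere.
# Both paths and the function names are assumptions for illustration.

# Files that exist on the server but not in the fresh copy (possible backdoors).
unknown_files() {
    live=$1; ref=$2
    ( cd "$live" && find . -type f ) | sort | while IFS= read -r f; do
        [ -e "$ref/$f" ] || printf '%s\n' "$f"
    done
}

# Stock files whose content no longer matches the fresh copy.
changed_files() {
    live=$1; ref=$2
    ( cd "$live" && find . -type f ) | sort | while IFS= read -r f; do
        if [ -f "$ref/$f" ] && ! cmp -s "$live/$f" "$ref/$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Files and directories writable by every account on the host (the "777" check).
world_writable() {
    ( cd "$1" && find . \( -type f -o -type d \) -perm -0002 ) | sort
}

# Files modified within the last $2 days, to line up against the web server logs.
recently_modified() {
    ( cd "$1" && find . -type f -mtime "-$2" ) | sort
}

audit() {
    echo "== not in fresh copy ==";       unknown_files "$1" "$2"
    echo "== differs from fresh copy =="; changed_files "$1" "$2"
    echo "== world-writable ==";          world_writable "$1"
    echo "== modified in last 7 days =="; recently_modified "$1" 7
}

# Usage: sh audit.sh /path/to/forum /path/to/fresh-phpBB2
# config.php, uploaded avatars and installed MODs will be reported; review
# each entry by hand rather than treating the report as proof of compromise.
if [ "$#" -eq 2 ]; then audit "$1" "$2"; fi
```
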

PhySc0
Registered User
Posts: 141
Joined: Sun Feb 20, 2005 1:57 pm

Post by PhySc0 » Sun Apr 10, 2005 5:01 am

Seems as though this topic I created really took off whilst I have been offline.

The mention of the "Black Label Crew".... That's the retards that did this! For those of you who mentioned this name, I am assuming you saw the name in the page caption after the site was hacked? Can you tell me if there was another name there? Does anyone recognise "J_a_M_e_S"?

I have decided to go the long route, and I have completely moved to a new, much more secure host. I can tell anyone in detail how this hack occurs if they would like to contact me. I believe I have actually found the source of the hack; it's displayed in black and white on a website for all to see. The hack uses a MySQL injection to the viewtopic.php file, though clearly looking at this site, there is much vulnerability in 2.0.13 and this is one of many hacks and exploits available. Almost anyone can make themselves an admin....

What I found happened to my board was that the hacker made himself an admin and then created a new style he so conveniently called "BLAHHHH" which basically made everything black, very very simple when you look at how it's done!

Like I said, I have moved to a more secure host/server and have created a new database, and a new version of phpBB installed. I then re-modified all the new files to make a home for the MODs and used what I could of the old database to try and salvage my userbase.

mikeinjersey
Registered User
Posts: 199
Joined: Thu Aug 14, 2003 11:56 pm

Post by mikeinjersey » Sun Apr 10, 2005 5:13 am

nurhendra wrote: As many already suggested, make sure no one else is admin (use phpMyAdmin and run this SQL: SELECT * FROM `phpbb_users` WHERE user_level = 1

Nurhendra, so does this mean I don't need to install this toolkit or whatever? I already have phpMyAdmin installed.
